THANK YOU La Fin @VK_Intel :) Talk Outline Evolution of Hunting - - PowerPoint PPT Presentation



SLIDE 1

THANK YOU La Fin @VK_Intel :)

SLIDE 2

Talk Outline

1 Evolution of Criminal Intent
2 Hunting for High-Value Targets
3 APT Approach & Ransomware
4 Emergence of Ransomhacks
5 YARA Hunting for Crypto Implementations
5 Key Takeaways

SLIDE 3

~whoami

Vitali Kremez is a well-known ethical hacker. His cybercrime and nation-state research and discoveries led to his name appearing directly in malware linked to the Russian nation-state group known as "APT28," which is believed to be the military operation led by the Russian GRU, after his blog revealed one particular group's malware. Moreover, his name oftentimes appears in various malware families from Maze to Medusa ransomware as a cybercrime tribute to him by the criminal actors who closely watch and acknowledge his research.

Executive & Strategic Advisor
Personal blog: vkremez.com
Twitter: @VK_Intel

SLIDE 4

Cybercrime Trends (2020)

  • Sophisticated criminal enterprises such as TrickBot & QakBot & TA505 - focused on parsing and identifying high-value targets (HVT)
  • Cybercrime Meets APT
  • Ransomhacks to Amplify Extortions
  • Big botnet data collectors necessitate scalable solutions to identify high-value targets (corporate networks with local domains) versus “useless” infections
  • Simple idea: Squeeze as much £ / € / $ value from your bots as possible
  • Banking Malware
  • Credential Stealer
  • Miner
  • Ransomware!

Reference: “Charting the Next Cybercrime Frontier” https://www.youtube.com/watch?v=ptL0aTYzRfM

SLIDE 5

Father of Crimeware: Slavik

  • P2PZeuS group refer to themselves as “Business Club"
  • They target wholesale banking globally
  • Fraud amounts are much higher
  • Networks of fake companies are used as mule accounts
  • Build a new attack model: Hybrid attack
  • “Business Club” also introduces CryptoLocker
  • First real ransomware
SLIDE 6

Hunting for High-Value Targets: Network Parsing & High-Value Targets

SLIDE 7

Emotet (Loader for Installs) -> TrickBot -> Ryuk Ransomware (via PowerShell Empire/Cobalt Strike)

Reference: “Charting the Next Cybercrime Frontier, or Evolution of Criminal Intent” https://www.youtube.com/watch?v=ptL0aTYzRfM
Credit: Ryuk image (https://nogiartshop.com/products/ryuk)

Network & Active Directory Parsing! Automated Malware + Interactive Human Exploitation Operator

SLIDE 8

TrickBot -> Ryuk in the Cloud: CloudJumper MSP Intrusion

Reference: https://twitter.com/barton_paul/status/1127088679132987394

  • $5 Billion Extortion Amount in Total (!)
SLIDE 9

DoppelPaymer Ransomware Attack: PEMEX Intrusion 

  • 565 Bitcoins Extortion
  • Victim Note via Portal Link on Tor

SLIDE 10

Clop Ransomware Attack: Rouen University Hospital France

  • Analysis: .cIop
  • Targeted Attack (Linked to TA505)

SLIDE 11

Underground Infrastructures for Monetizing Corporate Breaches

ACCESS TO CORPORATE NETWORK

Hackers specializing in network vulnerabilities obtain access through compromised RDPs, credential stealers or botnets. Most often, these accesses are sold directly on the darkweb.

If the network access is not sold directly, intermediaries offer specific files or financial databases or provide access to segments of the compromised environment to manipulate it.

Access owners offer other hackers to upload their malicious files (primarily ransomware), establish secure access for one session, or offer to use the network to disseminate malware via spam or bots.

Access-as-a-commodity / Access-as-a-service

SLIDE 12
2. APT Approach & Ransomware (TrickBot & “Lazarus” Angle)

SLIDE 13

The “Anchor” Mystery

SLIDE 14

The “Anchor” Mystery: The North Korean “Lazarus” APT

SLIDE 15

The North Korean “Lazarus” APT Angle: Chilean Redbanc Intrusion

SLIDE 16
III. Ransomhacks (REvil & Maze Publicizing Leaks)

SLIDE 17

MAZE Ransomware: Leak Portal Victim Shaming

SLIDE 18

Big Shift - Legal Framework - GDPR: REvil Ransomware

GDPR Implemented on May 25, 2018. Instead of encrypting the files, the extortionists threatened to publish them.

REvil Exploits the GDPR

  • In December 2019, REvil claimed a recent ransomware attack against the CyrusOne data center.
SLIDE 19

Hunting Using YARA for Malware Developer Crypto Logic Implementation

SLIDE 20

YARA Hunting for Code Reuse

  • Malware developers work just like legitimate software developers, aiming to automate their work and reduce the time wasted on repetitive tasks wherever possible.
  • That means they create and reuse code across their malware (especially crypto routines).
  • This has a pay-off for malware hunters: we can learn how to create search rules to detect this kind of code reuse, reducing our workload, too!

SLIDE 21
I. TrickBot Crypter Layer (since May 2019)

SLIDE 22
  • TrickBot has utilized their own crypting service for some time now and it has been frequently updated over time.
  • The latest version utilizes RC4 with a twist and is also a perfect example for writing a simple unpacker while at the same time being forced to analyze a slightly modified encryption routine.

Source: https://zero2auto.com/2020/06/22/decrypting-trickbot-crypter/

TrickBot Custom RC4 : YARA Implementation

SLIDE 23
  • ROR-13 API hash
  • RC4 key (with NULL terminator)
  • SBOX 0x184

TrickBot Custom RC4 : YARA Implementation

SLIDE 24

rule TrickBot {
    meta:
        author = "jreaves"
        description = "TrickBot Crypter 2019/2020"
    strings:
        $snippet1 = {be ?? ?? ?? ?0 8d 7c 24 [1-2] f3 a5}
        $sbox_size = {be ?? ?? 00 00 f7 f6 [0-1] 81}
    condition:
        ($snippet1 and $sbox_size)
}

TrickBot Custom RC4 : YARA Implementation

SLIDE 25

TrickBot Custom RC4 : YARA Implementation

  • YARA scan for custom SBOX and key for automated static unpacker scripting
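Added example (not code from the talk or from the zero2auto write-up it cites): the two slide-24 patterns expressed as byte regexes so that the same match can drive a static unpacker, reading the key pointer out of `$snippet1` (mov esi, imm32 / lea edi, [esp+x] / rep movsd) and the S-box size out of `$sbox_size` (mov esi, imm32 / div esi). The crypter stub bytes, image base, key and the "offset = VA - base" layout are constructed here; a real unpacker would map the key VA through the PE section table instead.

```python
import re
import struct

# Constructed stand-in for a TrickBot crypter stub, laid out as a memory dump
# where file offset = VA - IMAGE_BASE (a real unpacker maps VAs through the PE
# section table, e.g. with pefile). The key lives at KEY_VA, NUL-terminated.
IMAGE_BASE = 0x400000
KEY_VA = 0x402040
CODE = bytes.fromhex(
    "be" + struct.pack("<I", KEY_VA).hex()  # mov esi, <pointer to RC4 key>
    + "8d7c2414"                            # lea edi, [esp+0x14]
    + "f3a5"                                # rep movsd: copy key onto the stack
    + "33c0"                                # xor eax, eax (unrelated filler)
    + "be84010000"                          # mov esi, 0x184 (custom S-box size)
    + "f7f6"                                # div esi: index modulo S-box size
    + "81fb00010000"                        # cmp ebx, 0x100 (the trailing 81)
)
DUMP = CODE.ljust(KEY_VA - IMAGE_BASE, b"\xcc") + b"s3cretKey!\x00" + b"\xcc" * 16

# The slide-24 hex strings as byte regexes: ?? = any byte, ?0 = any byte whose
# low nibble is 0, [m-n] = jump of m..n bytes. No yara-python needed for this.
SNIPPET1 = re.compile(
    rb"\xbe(?P<keyptr>...[\x00\x10\x20\x30\x40\x50\x60\x70\x80\x90\xa0\xb0\xc0\xd0\xe0\xf0])"
    rb"\x8d\x7c\x24.{1,2}\xf3\xa5", re.DOTALL)
SBOX_SIZE = re.compile(rb"\xbe(?P<size>..)\x00\x00\xf7\xf6.?\x81", re.DOTALL)


def extract_crypter_params(dump, image_base):
    """Apply the rule's condition ($snippet1 and $sbox_size) and pull out the
    NUL-terminated RC4 key and the S-box size a static unpacker would need."""
    m1, m2 = SNIPPET1.search(dump), SBOX_SIZE.search(dump)
    if not (m1 and m2):
        return None
    key_off = struct.unpack("<I", m1.group("keyptr"))[0] - image_base
    nul = dump.find(b"\x00", key_off) if 0 <= key_off < len(dump) else -1
    if nul == -1:
        return None  # pointer does not land inside the dump
    return {
        "key": dump[key_off:nul + 1],  # key includes the terminator (slide 23)
        "sbox_size": struct.unpack("<H", m2.group("size"))[0],
    }
```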

SLIDE 26

Netwalker Ransomware Crypto YARA Implementation

Source: https://zero2auto.com/2020/05/19/netwalker-re/

SLIDE 27
  • Two constant strings associated with SALSA20 or CHACHA20 encryption, followed by a dword value associated with hashing

Netwalker Ransomware Crypto YARA Implementation

SLIDE 28
  • content:”{657870616e642033322d62797465206b657870616e642031362d62797465206b982f8a42}”

Netwalker Ransomware Crypto YARA Implementation

SLIDE 29

rule NetWalker {
    strings:
        $crypto_implement = {657870616e642033322d62797465206b657870616e642031362d62797465206b982f8a42}
    condition:
        ($crypto_implement)
}

Netwalker Ransomware Crypto YARA Implementation
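Added example, not part of the talk: where the slide-29 hex string comes from and how to label such a string when it turns up in someone else's rule. It relies only on constants that survive compilation verbatim (the Salsa20/ChaCha20 key-setup strings "expand 32-byte k" / "expand 16-byte k" and SHA-256's first round constant 0x428a2f98, stored little-endian on x86, which is the trailing 98 2f 8a 42); the constant catalogue, the helper names and the sample buffer are constructed for this illustration.

```python
import struct

# Constants that survive compilation verbatim inside crypto routines. The
# NetWalker rule on slide 29 is sigma + tau + SHA-256 K[0]; 0x428a2f98 is
# stored little-endian on x86, which is why the rule ends in 98 2f 8a 42.
CRYPTO_CONSTANTS = {
    "salsa20/chacha20 sigma": b"expand 32-byte k",
    "salsa20/chacha20 tau": b"expand 16-byte k",
    "sha256 K[0]": struct.pack("<I", 0x428A2F98),
    "sha1 K[0]": struct.pack("<I", 0x5A827999),
    "md5 T[1]": struct.pack("<I", 0xD76AA478),
    "aes sbox head": bytes.fromhex("637c777bf26b6fc5"),
}


def find_constants(data):
    """Return sorted (offset, name) pairs for every known constant in data."""
    hits = []
    for name, const in CRYPTO_CONSTANTS.items():
        pos = data.find(const)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(const, pos + 1)
    return sorted(hits)


def yara_hex_string(chunks):
    """Join byte chunks into one YARA hex string, the form used on slide 28."""
    return "{" + "".join(c.hex() for c in chunks) + "}"


def decode_hex_string(pattern):
    """Label the known constants inside a {..} hex string taken from a rule."""
    return find_constants(bytes.fromhex(pattern.strip("{}").replace(" ", "")))


def build_rule(name, chunks):
    """Emit a rule in the shape of slide 29 from the given constant chunks."""
    return (f"rule {name} {{\n    strings:\n"
            f"        $crypto_implement = {yara_hex_string(chunks)}\n"
            f"    condition:\n        ($crypto_implement)\n}}")


NETWALKER_CHUNKS = [CRYPTO_CONSTANTS["salsa20/chacha20 sigma"],
                    CRYPTO_CONSTANTS["salsa20/chacha20 tau"],
                    CRYPTO_CONSTANTS["sha256 K[0]"]]

# Constructed stand-in for a sample: the ChaCha20 key-setup string and a
# SHA-256 constant separated by filler, as a compiler might lay them out.
SAMPLE = (b"\x90" * 0x80 + b"expand 32-byte k" + b"\xcc" * 0x40
          + struct.pack("<I", 0x428A2F98) + b"\x00" * 0x20)
```

Running find_constants over a sample is the manual version of what the rule does; build_rule turns the same chunks back into a rule once the constants are confirmed.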

SLIDE 30

Key Takeaways & Outlook

  • Automated Malware + Interactive Human Exploitation Operator -> Convergence of APT & Crimeware
  • Cybercrime Meets APT
  • Hunting Using YARA for Malware Developer Crypto Logic Implementation is the Key

SLIDE 31

Malware Course Author: “Zero2Automated”

  • Created a 10% off coupon for the Confidence attendees (code is “REVERSING2020”) to enroll in part of the course (courses.zero2auto.com)
  • Short Description: Developed for those looking to further enhance their skills in the Malware Analysis/Reverse Engineering field
  • Instructors: Vitali Kremez (@VK_Intel), Daniel Bunce (@0verfl0w_), Jason Reaves (@sysopfb)

SLIDE 32

THANK YOU La Fin